Millions of iPhone users around the world have been urged to update their operating systems after researchers uncovered a vulnerability allowing hackers to infiltrate devices without users even clicking a link.
The flaw, in Apple's iMessage software, let attackers infect a device with no interaction from its owner at all, a so-called zero-click exploit.
Instead, the entry point was a weakness in the way iMessage automatically renders image attachments, according to Citizen Lab, a research group at the University of Toronto.
In this case the attackers silently sent files carrying a .gif extension that were in fact Adobe PDF files containing malicious code, which iMessage's automatic image rendering processed without the recipient doing anything. The researchers say the flaw had already been exploited by customers of the Israeli spyware firm NSO Group.
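The lesson for anyone who builds a renderer is that a file's extension says nothing about which parser will end up handling its bytes. The following is an added example, not code from the article, from Apple or from Citizen Lab, and it does not reproduce the iMessage bug: it shows the check a practitioner would put in front of an image pipeline, sniffing the magic bytes of an attachment and refusing to render it when the declared type (the .gif name) disagrees with the actual content (a PDF header). All sample attachments, file names and function names below are constructed for illustration.

```python
"""Added example: reject attachments whose extension disagrees with their bytes.

A renderer that chooses a decoder from the file name (".gif" -> GIF decoder) but
then lets a content-sniffing library reroute the data to a different, riskier
parser can be reached with a PDF dressed as a GIF. The check below looks at the
content itself and only renders when name and content agree.
The sample attachments are constructed for this example; they are not real files.
"""
import os

# GIF files start with one of two fixed signatures at offset 0.
GIF_MAGIC = (b"GIF87a", b"GIF89a")
# PDF readers tolerate leading junk, so the "%PDF-" header is searched for within
# the first 1024 bytes rather than required at offset 0.
PDF_MAGIC = b"%PDF-"
PDF_SEARCH_WINDOW = 1024


def sniff_type(data: bytes) -> str:
    """Classify by content alone: 'gif', 'pdf' or 'unknown'."""
    if data.startswith(GIF_MAGIC):
        return "gif"
    if PDF_MAGIC in data[:PDF_SEARCH_WINDOW]:
        return "pdf"
    return "unknown"


def declared_type(filename: str) -> str:
    """Classify by the extension the sender chose (attacker-controlled)."""
    ext = os.path.splitext(filename)[1].lower()
    return {".gif": "gif", ".pdf": "pdf"}.get(ext, "unknown")


def should_render(filename: str, data: bytes) -> bool:
    """Auto-render only when the declared and sniffed types agree AND are an image type.

    A PDF is never auto-rendered here, even when honestly named .pdf, because the
    point of the gate is to keep untrusted documents out of the preview path.
    """
    return declared_type(filename) == sniff_type(data) == "gif"


# Constructed sample attachments (hypothetical names and contents).
SAMPLES = {
    "photo.gif": b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 16,   # genuine GIF header
    "photo2.gif": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n",  # PDF named .gif
    "doc.pdf": b"%PDF-1.4\n",                                      # honest PDF
    "note.gif": b"\x00" * 16 + b"%PDF-1.5\n",                      # junk before the PDF header
}


def triage(samples=None):
    """Return {name: (declared, actual, render?)} for each attachment."""
    samples = SAMPLES if samples is None else samples
    return {
        name: (declared_type(name), sniff_type(data), should_render(name, data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (declared, actual, ok) in triage().items():
        verdict = "render" if ok else "REJECT"
        print(f"{name:11} declared={declared:8} actual={actual:8} {verdict}")
```

Run stand-alone, the script renders only photo.gif and rejects the three others, including note.gif, whose PDF header is preceded by padding that a naive offset-0 check would miss. The same idea generalises to any format pairing: decide which parser runs from the bytes, then confirm the result matches what the sender claimed, and treat a mismatch as hostile rather than as something to quietly accommodate.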
Citizen Lab uncovered the vulnerability while examining a Saudi activist's phone and says the flaw has been exploited since February 2021.
NSO Group's Pegasus spyware, once on a device, can harvest stored data, intercept calls and messages, and even record audio through the microphone.
In 2019, Facebook accused NSO Group of being complicit in the hacking of 1,400 devices through WhatsApp.
However, NSO Group disputed those allegations and maintains that its spyware is only meant to be used by government and law enforcement agencies to target and monitor criminals and terrorists.
Apple security engineering and architecture head Ivan Krstić thanked Citizen Lab for identifying the vulnerability.
"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” he said in a statement.
He added that while the vulnerability is significant, it’s not considered a threat to most Apple users.
Apple has not issued a comment on whether the hacking technique was developed by NSO Group.
Citizen Lab said its research highlights the risks messaging apps can pose to phones, and the importance of ensuring those apps are secure.
“Ubiquitous chat apps have become a major target for the most sophisticated threat actors, including nation state espionage operations and the mercenary spyware companies that service them,” Citizen Lab said.
“As presently engineered, many chat apps have become an irresistible soft target. Without intense engineering focus, we believe that they will continue to be heavily targeted, and successfully exploited.”
How to update your device
Apple users can update by opening Settings, tapping General, then Software Update, and then Install Now.
You can either turn on automatic updates, which install while the device is charging and connected to Wi-Fi, or install the update straight away. In general the device needs to be connected to power and to Wi-Fi or mobile data to download and install an update. Afterwards, Settings, then General, then About shows the installed version, which lets you confirm the update actually completed.